Sigstore - How We Learned to Stop Trusting Registries and Love Signatures
CNCF [Cloud Native Computing Foundation] via YouTube
Overview
Explore a 22-minute conference talk that delves into InfluxData's journey of implementing container image signing for their SaaS offering. Learn how the company integrated this security measure across approximately 100 different container images deployed on numerous Kubernetes clusters across major cloud platforms. Discover the motivations behind this initiative and its expected outcomes from both the DevOps and security team perspectives. Follow InfluxData's roadmap from having no image signing, to implementing partial checks, and finally to requiring signed images for all critical workloads. Gain insights into the challenges of managing over 50 microservices whose images are built multiple times daily through CI/CD pipelines. Understand the nuances of signing various image types, including open-source images from internal teams and images provided by other companies. Dive into the technical details of a secure image signing implementation spanning multiple CI/CD systems and its key management strategies. Explore plans for addressing security issues, including regular key rotation and updating image signatures while invalidating older public keys.
Syllabus
Sigstore Or: How We Learned to Stop Trusting Registries and Love Sig... Wojciech Kocjan & Tyson Kamp
Taught by
CNCF [Cloud Native Computing Foundation]